We surveyed over 1100 applications to get a clearer sense of their support for encrypting data in transit.
Protecting the data of students needs to be a top priority. That is why Common Sense Education, in collaboration with over 100 schools and districts nationwide, launched the Privacy Evaluation Initiative to support educators, students, and parents in their effort to make informed decisions about the software being used on campuses throughout the country.
As we have discussed in the past, using encryption to protect data in transit is one of the most basic steps web sites can take to protect data. There are other steps that need to happen as well, but using encryption to safeguard information is a low bar. Technically, it’s equivalent to walking and chewing gum at the same time.
When we evaluate sites for the Privacy Evaluation Initiative we begin with a quick triage that includes testing for the use of encryption. A superficial test for encryption is straightforward: look for an “s” in the web address, or URL. If the URL begins with “https://” the site supports some level of encryption. If the URL begins with “http://” then encryption is not supported. While more detailed tests are required to fully understand if or how encryption is supported, this simple test can often indicate sites that don’t support encryption. This short (45 second) video shows how to run this basic test. We cover more comprehensive methods of testing for encryption in our Information Security Primer.
In the last two weeks of October, we ran automated tests on 1,221 logins used by 1,128 vendors that have products in schools around the country. We surveyed these login locations (login URLs) to assess the level of basic support for encryption. While our list of sites is not exhaustive, it is representative of websites from small developers, well-established companies, start-ups, privately held companies, and enterprise-level applications.
Our findings indicate that a significant number of vendors do not provide even basic support for encryption. While 52 percent of the 1,221 login URLs we surveyed require encryption, 25 percent do not support encryption at all, and an additional 20 percent do not require an encrypted connection.
The following are some of the observations in our data set from products that are used in thousands of school districts:
- A well-known vendor appears to have enabled encryption for districts in states that have laws requiring reasonable security, and not enabled encryption in some districts in other states. More research is needed on the extent of this issue.
- A product targeted to students of all ages within K–12 schools does not support encryption at all in a subset of their product offerings.
- Multiple vendors take a request for an encrypted connection and explicitly redirect it to an unencrypted connection – this appears to show an intentional decision to ignore best practice in favor of insecure practice.
The report accompanying this blog post goes into detail about what this survey covers, what it leaves out, and next steps. At this time, we are not making our complete list of vendors and their support or non-support for encryption public at this time. It is our goal that by sharing our survey data in the aggregate here, that vendors will work to improve how they support encryption over the next several months before our follow up report is released. Every vendor can and should test their sites to assess how they support encryption, and other basic security issues. We already indicate in our evaluations when an app doesn’t support encryption, and we are continuing to explore new ways of highlighting issues like these on our overview pages. In addition, we will be adding applications to our survey list and rerunning this evaluation approximately every 30 days.
Approximately 90 days from now — in late February or early March of 2017 — we will publish a follow-up post that highlights if, or how, things have changed from our initial survey results. Again, it is our goal that this paper is a catalyst for vendors to improve their practices when it comes to encryption. As we attempt to highlight in our paper, this survey is most useful as a snapshot of current data-security practices within the education technology industry. As we rerun this survey over the next few months, we will begin to get a sense of the trends within the industry. Hopefully, we will see an increase in the use of encryption. The need for strong and reliable security as the foundation for good software isn’t going away. The sooner we embrace it, the better.